Security & Trust Center

Your trust is our foundation. Learn how we protect your data.

Security by Design: Docyment is built from the ground up with healthcare-grade security and privacy protections. Patient data never leaves secure, encrypted environments.

At Docyment, we understand that handling healthcare data requires the highest levels of security, privacy, and compliance. This Trust Center provides transparency into our security practices, compliance standards, and commitment to protecting sensitive medical information.


🛡️ Core Security Principles

Privacy by Design

Privacy considerations are built into every aspect of our platform from the initial design phase.

Zero Trust Architecture

Every access request is verified, authenticated, and authorized before granting access to any data.

Data Minimization

We collect and process only the minimum data necessary to provide our clinical documentation services.

Continuous Security

Security monitoring, testing, and improvement are ongoing processes, not one-time implementations.


🔐 Technical Security Measures

Encryption

Data in Transit: All data transmission uses TLS 1.3+ encryption with perfect forward secrecy

Data at Rest: AES-256 encryption for all stored data with hardware security modules (HSMs)

Database Encryption: Transparent data encryption (TDE) with regular key rotation

Application-Level: Field-level encryption for particularly sensitive data elements

Access Controls

Role-Based Access Control (RBAC): Granular permissions based on user roles and responsibilities

Multi-Factor Authentication (MFA): Required for all system access, including TOTP and hardware keys

Single Sign-On (SSO): Integration with healthcare organization identity providers

Least Privilege: Users receive minimum permissions necessary for their role

Infrastructure Security

Cloud Security: Hosted on enterprise-grade cloud infrastructure with 99.9% uptime SLA

Network Segmentation: Isolated networks with firewall protections and intrusion detection

Container Security: Containerized applications with image scanning and runtime protection

Backup & Recovery: Automated encrypted backups with point-in-time recovery capabilities


📋 Compliance & Standards

✅ Current Compliance

  • UK GDPR: Full compliance with UK data protection regulations
  • Data Protection Act 2018: Meets UK data protection requirements
  • NHS Data Security Standards: Aligned with the NHS Data Security and Protection Toolkit
  • Caldicott Principles: Adherence to NHS information governance principles

🔄 In Progress

  • ISO 27001: Information security management certification (applying 2025)
  • SOC 2 Type II: Security and availability controls audit (2025)
  • Cyber Essentials Plus: UK government cybersecurity certification (2025)
  • MHRA Registration: Medical device registration (if applicable, under review)

🏥 Healthcare Data Protection

AI Model Training

Absolute Commitment: Patient data is NEVER used to train, develop, or improve our AI models. This is a fundamental principle built into our architecture and contracts.

  • Contractual guarantees with all AI service providers
  • Technical controls preventing data flow to training systems
  • Regular audits to verify compliance

Data Residency

UK/EU Hosting: All patient data is stored and processed within the UK and EU, with strict controls on any international transfers.

  • Primary data centers located in London and Dublin
  • Backup facilities within UK/EU jurisdictions
  • No patient data stored outside approved territories

Data Retention & Deletion

Controlled Lifecycle: Patient data is retained only as long as necessary and securely deleted when no longer needed.

  • Automated deletion schedules based on data controller instructions
  • Secure cryptographic deletion methods
  • Certificate of destruction provided upon request

🔍 Security Operations

Monitoring & Detection

  • 24/7 security monitoring and alerting
  • Advanced threat detection and response
  • Behavioral analytics for anomaly detection
  • Comprehensive audit logging

Incident Response

  • Documented incident response procedures
  • 24-hour breach notification commitment
  • Forensic investigation capabilities
  • Customer communication protocols

🧪 Security Testing & Validation

Penetration Testing: Annual third-party penetration testing by certified security firms

Vulnerability Management: Regular vulnerability scans and prompt patching procedures

Code Security: Static and dynamic application security testing (SAST/DAST)

Dependency Scanning: Automated scanning for vulnerabilities in third-party libraries

Security Reviews: Comprehensive security reviews for all new features


⚡ Business Continuity

High Availability

  • 99.9% uptime service level agreement
  • Multi-region redundancy and failover
  • Load balancing and auto-scaling
  • Real-time health monitoring

Disaster Recovery

  • Recovery time objective (RTO): 4 hours
  • Recovery point objective (RPO): 1 hour
  • Regular disaster recovery testing
  • Comprehensive backup procedures

🔍 Transparency & Accountability

Sub-processor Transparency

Complete transparency about all third-party services that may process data on our behalf.

Security Documentation

Detailed security documentation available for enterprise customers and compliance teams.

Audit Rights

Customers can request security audits and receive compliance documentation as needed.

📞 Security Contact

Our security team is here to address your questions, concerns, and security-related inquiries.

Security Issues: security@docyment.com

Privacy Questions: privacy@docyment.com

Compliance Inquiries: compliance@docyment.com

General Support: support@docyment.com

Security Vulnerabilities: If you discover a security vulnerability, please report it immediately to security@docyment.com. We take all reports seriously and will respond within 24 hours.